Multiparty Symmetric Sum Types 



Lasse Nielsen (DIKU, University of Copenhagen), Nobuko Yoshida (Imperial College London), Kohei Honda (Queen Mary, University of London)

Abstract This paper introduces a new theory of multiparty session types based on symmetric sum 
types, by which we can type non-deterministic orchestration choice behaviours. While the original 
branching type in session types can represent a choice made by a single participant and accepted by 
others determining how the session proceeds, the symmetric sum type represents a choice made by 
agreement among all the participants of a session. Such behaviour can be found in many practical sys- 
tems, including collaborative workflow in healthcare systems for clinical practice guidelines (CPGs). 
Processes using the symmetric sums can be embedded into the original branching types using con- 
ductor processes. We show that this type-driven embedding preserves typability, satisfies semantic 
soundness and completeness, and meets the encodability criteria [18, 9] adapted to the typed setting. 
The theory leads to an efficient implementation of a prototypical tool for CPGs which automatically 
translates the original CPG specifications from a representation called the Process Matrix to symmetric 
sum types, type checks programs and executes them. 

1 Introduction 

Clinical Practice Guidelines (CPGs) [2] are detailed descriptions of medical treatment procedures, 
practised globally with local variations, in order to treat specific medical disorders. CPGs are an example of 
social interactions, which include workflow models and various cooperation models: its richness stems 
from the diverse collaborative patterns human organisations can exhibit. One such pattern, which plays a 
prominent role in CPGs, is symmetric synchronisation where all the participants are equal in the decision- 
making, i.e. the participants collectively decide on one of the possible choices. 

Motivated from practice, this paper aims to distill the essence of this symmetric synchronisation as an 
interaction primitive, position it as part of the type theory for the asynchronous π-calculus with multiparty 
sessions, and explore its properties to model workflow frameworks, enjoying the richness of multiparty 
session types to express how data is exchanged. Our starting point is a widely known semi-formal modelling 
framework for CPGs and other workflows called Process Matrix [14], which provides a concise and 
general description of symmetric synchronisation patterns as found in CPGs. 

The new synchronisation primitive is generally useful, also for other calculi and applications. We add 
the symmetric synchronisation primitive to the asynchronous π-calculus and study it in a typed setting 
because it allows us to model CPGs as types, and enables correctness and erasure properties. 

We explain the key ideas of Process Matrix and CPGs using an example from a CPG with three participants: 
a doctor (D), a nurse (N) and a patient (P). The doctor and the nurse need to register and inspect the 
patient, thus they must obtain the patient data (Data), schedule an appointment (Schedule) and inspect the 
patient (Inspect). The actions can be divided between the doctor and the nurse in four different ways, since 
they both can collect the data and schedule the appointment but only the doctor may inspect the patient. 
The four cases are illustrated in the table in Fig. 1.1. For example in Case ND, the nurse obtains the patient 
data and the doctor schedules and performs the inspection. In this way, the doctor and the nurse need to 
perform a different combination of actions depending on which case is chosen, thus they need to commit 
to the same choice in order for the cooperation to work. This choice cannot be implemented directly using 
the asymmetric choice (as found in branching/selection primitives in the foregoing session types [20, 11]), 
since the decision would be made by a single participant and not by common agreement. 

Figure 1.1 Cases in the healthcare cooperation example 

Our aim is to obtain a general modelling framework which can uniformly capture both symmetric 
synchronisations and existing session-based communication patterns. Such a framework will give a basis 
for the implementation of a tool for CPGs where one can describe, validate and execute specifications 
backed up by static validation coming from the theory. For this purpose we incorporate the synchronisation 
primitive in the type theory for multiparty sessions from [12], so different groups of principals can freely 
mix standard asymmetric communications and symmetric synchronisations. The resulting sessions are 
abstracted as types, enabling type-based validation which ensures type and communication safety. 

We offer the first prototype implementation of the π-calculus with multiparty sessions, with a type- 
checker using multiparty session types with full projections. Our implementation includes the symmetric 
synchronisation primitive and verification using symmetric sum types. This allows us to implement, verify 
and execute the examples used to explain and motivate the extension. 

The use of types is not only essential for modelling CPGs and validating processes, but also enables 
an organised analysis of the synchronisation primitive. Using a type-directed translation, we show that 
the primitive can be embedded into the asymmetric branching in the original multiparty sessions [4, 12]. 
The translation generates auxiliary processes from the types, and combines them with an encoding of the 
sum into asymmetric branch types, respecting global interaction patterns and preserving semantics, by ex- 
ploiting the type structure. The auxiliary process generated from a type conducts the synchronisations of 
a session by receiving accepted cases from participants and sending the chosen case back. To prove its 
correctness, we use a new technique based on derivations of the multiparty session typing. The resulting 
translation introduces exponentially more branching cases (e.g. 64 for the running example), demonstrat- 
ing the practical usefulness of the symmetric sum for compact description as well as offering a formally 
founded distributed implementation strategy of the primitive. 

Next we present the calculus for multiparty symmetric synchronisation (Section 2) and study its type 
theory (Section 3). We then define a type-directed encoding (Section 4) of the symmetric sum into the 
asynchronous multiparty session, and investigate its encodability criteria by adapting the framework from 
[18] to the typed setting. Finally we present an application of the theory to the formal CPG verification 
(Section 5), with a prototype implementation available from [17]. The technical contributions include 
subject reduction (Theorem 3.2) and type/semantic correctness of the encoding (Theorems 4.1, 4.2 and 
4.4). The implementation demonstrates the correctness, feasible implementability and significance of the 
new primitive. In particular, an automatic mapping from Process Matrix to global types (Section 5) shows 
the expressiveness of multiparty session types. The appendix in the full version [17] includes the omitted 
definitions, examples and proofs, though the paper can be read independently. 

Figure 2.1 The process language 

2 Processes with Synchronisation 

This section introduces the syntax (Fig. 2.1) of the asynchronous multiparty session π-calculus [12] with 
the new sync primitive, and the judgement P → P' (Fig. 2.2, where e ↓ v denotes the evaluation of the 
expression e to the value v) describing the small-step semantics for processes. The syntax defines the values 
{v, w, ...}, expressions {e, e', ...} and processes {P, Q, ...} from the sets of channel names {a, b, ...}, 
value variables {x, y, ...}, session channels {s, t, ...}, labels {l, m, ...} and process variables {X, Y, ...}. 

Session request a[2..n](s).P initiates a session with channels s (where s denotes a vector s_1 ... s_n) over 
the public channel a with the other n − 1 participants of shape a[p](s).Q_p for p from 2 to n ([Link] in 
Fig. 2.2). Asynchronous communication in an established session is performed by sending and receiving 
values ([Send, Recv]), transferring a session using session delegation and reception ([Deleg, SRec]), and 
label selection and branching ([Label, Branch]), where the branching process offers a number of labels 
and the selecting process chooses one of them. 

The new sync_{s,n}{l : P_l}_{l∈L} constructor is interpreted as the process participating in a plenum decision 
between all the n processes in the session s, reaching a common decision h from L. Afterwards the process 
proceeds as described in P_h. In [Sync] in Fig. 2.2, h in the premise denotes the common label. We also add 
the rand{P_i}_{i∈I} constructor, which randomly selects one of its branches ([Rand]). This primitive can be 
expressed using if and a random expression (hence it does not add expressiveness over [12]), but simplifies 
the erasure mapping in Section 4. 
Figure 2.2 The reduction rules 

Figure 2.3 Healthcare Example without sync 

P_D = // Doctor
a[2](d,s,r,cp,cn).
if rand{true, false}
then
  cp ◁ CaseD; cn ◁ CaseD; d?(data);
  if rand{true, false}
  then
    cp ◁ CaseDD; cn ◁ CaseDD; s!⟨eSchedule⟩; r!⟨eResult⟩; end
  else
    cp ◁ CaseDN; cn ◁ CaseDN; r!⟨eResult⟩; end
else
  cp ◁ CaseN; cn ◁ CaseN;
  if rand{true, false}
  then
    cp ◁ CaseND; cn ◁ CaseND; s!⟨eSchedule⟩; r!⟨eResult⟩; end
  else
    cp ◁ CaseNN; cn ◁ CaseNN; r!⟨eResult⟩; end

P_P = // Patient
a[2..3](d,s,r,cp,cn). cp ▷
 {CaseD: d!⟨eData⟩; cp ▷
   {CaseDD: s?(schedule); r?(result); end,
    CaseDN: s?(schedule); r?(result); end},
  CaseN: d!⟨eData⟩; cp ▷
   {CaseND: s?(schedule); r?(result); end,
    CaseNN: s?(schedule); r?(result); end}}

P_N = // Nurse
a[3](d,s,r,cp,cn). cn ▷
 {CaseD: cn ▷
   {CaseDD: end,
    CaseDN: s!⟨eSchedule⟩; end},
  CaseN: d?(data); cn ▷
   {CaseND: end,
    CaseNN: s!⟨eSchedule⟩; end}}



In [Sync], the processes cannot perform the synchronisation if they do not share some common label, 
in which case the processes will be stuck. We also need to know how many participants are in the session 
in order to know when the synchronisation can step; otherwise the processes will be stuck. The typing 
system introduced in the next section ensures that sync satisfies these two conditions. 

Healthcare Cooperation (1): Processes  We motivate the symmetric synchronisation using the example 
from the introduction. We first explain the problem when representing this interaction without sync. As 
explained in the introduction, there is no rigorous way to decide which of the four cases will occur, nor 
who will be the principal decision maker: we could let the doctor non-deterministically decide between 
the cases, and then we obtain the processes in Fig. 2.3 if we use the processes from [12]; similarly 
we could let the nurse or even the patient decide. None of these representations captures the cooperation 
where the doctor, the nurse and the patient should reach a common decision, because it is impossible to 
know who takes the initiative. Another problem is that we need to specify the choices in P_D, which is best 
captured by non-deterministic expressions like rand. 

Fig. 2.4 describes the same example using sync, where the intended cooperation is directly modelled. 
The case is logically decided by two choices: first it is decided who receives the patient data, and then it 
is decided who schedules the inspection. Since these decisions are not necessarily made at the same time, 
the processes select the case using two sequential synchronisations. 

Figure 2.4 Healthcare Example using sync 

P_P = // Patient
a[2..3](d,s,r). sync((d,s,r),3)
 {CaseD: d!⟨eData⟩; sync((d,s,r),3)
   {CaseDD: s?(schedule); r?(result); end,
    CaseDN: s?(schedule); r?(result); end},
  CaseN: d!⟨eData⟩; sync((d,s,r),3)
   {CaseND: s?(schedule); r?(result); end,
    CaseNN: s?(schedule); r?(result); end}}

P_D = // Doctor
a[2](d,s,r). sync((d,s,r),3)
 {CaseD: d?(data); sync((d,s,r),3)
   {CaseDD: s!⟨eSchedule⟩; r!⟨eResult⟩; end,
    CaseDN: r!⟨eResult⟩; end},
  CaseN: sync((d,s,r),3)
   {CaseND: s!⟨eSchedule⟩; r!⟨eResult⟩; end,
    CaseNN: r!⟨eResult⟩; end}}

P_N = // Nurse
a[3](d,s,r). sync((d,s,r),3)
 {CaseD: sync((d,s,r),3)
   {CaseDD: end,
    CaseDN: s!⟨eSchedule⟩; end},
  CaseN: d?(data); sync((d,s,r),3)
   {CaseND: end,
    CaseNN: s!⟨eSchedule⟩; end}}

Figure 3.1 The Domains used for Global and Local types 

3 Symmetric Sum Types 

We start by defining the global types G in Fig. 3.1, which specify global session protocols between 
the participants. Except for the symmetric sum type, the syntax is from [12]. The type p → p' : k⟨U⟩.G' 
expresses that participant p sends a message of type U along channel k to p', and then the interactions described 
in G' take place. The type p → p' : k{l_i : G_i}_{i∈I} expresses that p sends one of the labels to p'. If l_j is sent, 
the interactions described in G_j take place. Type μt.G is a recursive type, assuming type variables (t, t', ...) are 
guarded in the standard way. We assume that G in the grammar of sorts is closed, i.e., without free type 
variables. Type end represents the session termination. 

The sum type {l : G_l}_{l∈L;M} represents a synchronisation where the labels are taken from the set L and 
the non-empty set M. The labels in L are optional, but the labels in M are mandatory and must be accepted 
by all the participants. The mandatory labels will be underlined to distinguish them from the optional 
labels (e.g. {l : G_l}_{l∈{l1};{l2}} = {l1 : G_{l1}, l2 : G_{l2}} with l2 underlined). 

The local types T are defined in Fig. 3.1. They describe the communication performed by a single 
process. Therefore the "from process to process on channel" syntax is simply changed to sending or 
receiving on a channel. Thus the sending type is k!⟨U⟩;T and represents sending a message of type U on 
channel k, followed by the communication described by T. The type of receiving is k?(U);T, the type of 
selecting is k⊕{l : T_l}_{l∈L} and the type of branching is k&{l : T_l}_{l∈L}. The difference from [12] is that the 
symmetric sum type constructor {l : T_l}_{l∈L;M} is added, where L, M satisfy conditions similar to those 
of a global sum type. 

The message type T@(p,m,n) is used for delegation. It describes an open session, and includes infor- 
mation about the participant number p, the number of session channels m, and the number of participants 
n in the session together with a local type T describing the remaining communication. 

Finally we define the global environment Γ containing the global types for shared channels u and 
process variables X, and the local type environment Δ containing the remaining session communication, 
in Fig. 3.1, where s : T@(p,n) means s is an open session with n participants, where T describes the 
remaining communication for participant p. 

The projection G↾p of a global type G for a participant p generates the local type for the participant 
in an intuitive way; for example (p_1 → p_2 : k⟨U⟩.G')↾p becomes k!⟨U⟩;(G'↾p) if p = p_1 and p ≠ p_2. 
The difference from the definition in [12] is that we have added a case for the symmetric sum type: 

({l : G_l}_{l∈L;M})↾p = {l : (G_l↾p)}_{l∈L;M}. 

A global type G is coherent [12] if and only if the projection G↾p is defined for all participants, and G 
does not allow race conditions (linearity). We only consider coherent global types. 

Judgement  The typing judgement extends the one from [12] with symmetric sum types. The judgement 
Γ ⊢ P ▷ Δ states that the process P in the environment Γ performs exactly the session communication 
described in Δ. 

Figure 3.2 Selected typing rules 

[Rand]   ∀i ∈ I: Γ ⊢ P_i ▷ Δ
         ────────────────────────────
         Γ ⊢ rand{P_i}_{i∈I} ▷ Δ

[Sync]   ∀l ∈ L'': Γ ⊢ P_l ▷ Δ, s : T_l@(p,n)    L'' ⊆ L ∪ L'    L' ⊆ L''
         ─────────────────────────────────────────────────────────────────
         Γ ⊢ sync_{s,n}{l : P_l}_{l∈L''} ▷ Δ, s : {l : T_l}_{l∈L;L'}@(p,n)

[Mcast]  Γ ⊢ a : ⟨G⟩    Γ ⊢ P ▷ Δ, s : (G↾1)@(1,n)    |s| = max(sid(G))    n = max(pid(G))
         ────────────────────────────────────────────────────────────────────────────
         Γ ⊢ a[2..n](s).P ▷ Δ

[Macc]   Γ ⊢ a : ⟨G⟩    Γ ⊢ P ▷ Δ, s : (G↾p)@(p,n)    |s| = max(sid(G))    n = max(pid(G))
         ────────────────────────────────────────────────────────────────────────────
         Γ ⊢ a[p](s).P ▷ Δ

[Send]   ∀j: Γ ⊢ e_j : S_j    Γ ⊢ P ▷ Δ, s : T@(p,n)
         ──────────────────────────────────────────────
         Γ ⊢ s_k!⟨ẽ⟩;P ▷ Δ, s : k!⟨S̃⟩;T@(p,n)

[Rcv]    Γ, x̃ : S̃ ⊢ P ▷ Δ, s : T@(p,n)
         ──────────────────────────────────────────────
         Γ ⊢ s_k?(x̃);P ▷ Δ, s : k?(S̃);T@(p,n)

[Sel]    Γ ⊢ P ▷ Δ, s : T_h@(p,n)    h ∈ L
         ──────────────────────────────────────────────
         Γ ⊢ s_k ◁ h;P ▷ Δ, s : k⊕{l : T_l}_{l∈L}@(p,n)

[Branch] ∀l ∈ L: Γ ⊢ P_l ▷ Δ, s : T_l@(p,n)
         ────────────────────────────────────────────────────
         Γ ⊢ s_k ▷ {l : P_l}_{l∈L} ▷ Δ, s : k&{l : T_l}_{l∈L}@(p,n)

[Conc]   Γ ⊢ P ▷ Δ    Γ ⊢ Q ▷ Δ'    dom Δ ∩ dom Δ' = ∅
         ──────────────────────────────────────────────
         Γ ⊢ P | Q ▷ Δ, Δ'



The main rules are included in Fig. 3.2. The local types now carry information about the number 
of participants n and channels m. The number of participants and channels is determined at the session 
initialisation in the rules [Mcast] and [Macc], where sid(G) denotes the channels that appear in G and 
pid(G) denotes the participants that appear in G. The rule [Sync] checks that the synchronisation uses the 
correct number of participants, that the accepted branches include the mandatory ones and do not exceed the 
optional ones, and that each accepted branch is typed with the correct communication. The typing 
rule [Rand] checks that each choice in a rand process has the same session environment. 

Since the process is reduced by each rule application, the typability question Γ ⊢ P ▷ Δ is decidable. 

Healthcare Cooperation (2): Types  We explain how the types can describe and verify the healthcare 
scenario in the Introduction. Recall the processes from Fig. 2.4. To type P_P | P_D | P_N, we need a matching 
type environment first. The processes use the public channel a to create a session, so the environment must 
be of the form Γ = a : ⟨G⟩ for some global type G. 

We will start by finding the type describing the interactions in CaseND. First the participants select the 
choice CaseN and the patient sends the data to the nurse. Then the participants select the choice CaseND, 
the doctor sends the schedule to the patient, and finally the doctor sends the result to the patient. 

When the patient has id 1, the doctor has id 2 and the nurse has id 3, the communication described above for 
CaseND is given by the type 

{CaseN : 1→3:1⟨Sdata⟩. {CaseND : 2→1:2⟨Sschedule⟩. 2→1:3⟨Sresult⟩. end}} 



Figure 3.3 Global Type G and Patient Projection for Healthcare Example 

G = {CaseD: 1→2:1⟨Sdata⟩;
       {CaseDD: 2→1:2⟨Sschedule⟩; 2→1:3⟨Sresult⟩; end,
        CaseDN: 3→1:2⟨Sschedule⟩; 2→1:3⟨Sresult⟩; end},
     CaseN: 1→3:1⟨Sdata⟩;
       {CaseND: 2→1:2⟨Sschedule⟩; 2→1:3⟨Sresult⟩; end,
        CaseNN: 3→1:2⟨Sschedule⟩; 2→1:3⟨Sresult⟩; end}}

G↾1 (patient) = {CaseD: 1!⟨Sdata⟩;
       {CaseDD: 2?(Sschedule); 3?(Sresult); end,
        CaseDN: 2?(Sschedule); 3?(Sresult); end},
     CaseN: 1!⟨Sdata⟩;
       {CaseND: 2?(Sschedule); 3?(Sresult); end,
        CaseNN: 2?(Sschedule); 3?(Sresult); end}}

(The mandatory labels, underlined in the original figure, are CaseN, CaseDN and CaseND.)

Figure 4.1 Synchronisation message flows: (a) Choice without sync, (b) Choice using sync, (c) Choice after erasure 



Performing the same reasoning for CaseDD, CaseDN and CaseNN and adding their branches to the symmetric 
sums results in the global type G in Fig. 3.3. We select CaseND, CaseDN and CaseN as the mandatory 
labels. Since all participants must accept the mandatory choices, it is always possible 
for the participants to agree on a choice in each of the synchronisations. We can then find the local type for 
the patient process as the patient's projection of G, given in Fig. 3.3. Using this type and the projections 
we can now typecheck the processes. 
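As an added example (not code from the paper or its prototype), the following Python models the global types of Fig. 3.1 with the symmetric sum, the projection G↾p extended with the sum case from above, and the side condition of the typing rule [Sync] (M ⊆ L'' ⊆ L ∪ M). It builds the healthcare global type G of Fig. 3.3 and projects it for all three participants; the class and function names (End, Msg, Sum, Send, Recv, LSum, project, check_sync) are this example's own choices.

```python
# Added example, not code from the paper: global types with the symmetric
# sum, their projection to local types (including the sum case), and the
# side condition of the typing rule [Sync]. All names here are this
# example's own.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Union


# ---- global types G ----------------------------------------------------------
@dataclass
class End:
    """end: session termination."""


@dataclass
class Msg:
    """p -> q : k<U>.G : p sends a value of sort U to q on channel k, then G."""
    sender: int
    receiver: int
    channel: int
    sort: str
    cont: "GlobalType"


@dataclass
class Sum:
    """{l : G_l}_{l in L;M}: branches for the optional labels L and mandatory labels M."""
    branches: Dict[str, "GlobalType"]
    optional: FrozenSet[str]
    mandatory: FrozenSet[str]


GlobalType = Union[End, Msg, Sum]


# ---- local types T -----------------------------------------------------------
@dataclass
class Send:            # k!<U>;T
    channel: int
    sort: str
    cont: "LocalType"


@dataclass
class Recv:            # k?(U);T
    channel: int
    sort: str
    cont: "LocalType"


@dataclass
class LSum:            # {l : T_l}_{l in L;M}
    branches: Dict[str, "LocalType"]
    optional: FrozenSet[str]
    mandatory: FrozenSet[str]


LocalType = Union[End, Send, Recv, LSum]


def project(g: GlobalType, p: int) -> LocalType:
    """G|p: the local type of participant p. A message sent by p becomes a
    send, one received by p a receive, one not involving p is skipped; the
    symmetric sum is projected branch-wise, keeping L and M unchanged."""
    if isinstance(g, End):
        return End()
    if isinstance(g, Msg):
        if g.sender == g.receiver:
            raise ValueError("self-communication: projection undefined")
        if g.sender == p:
            return Send(g.channel, g.sort, project(g.cont, p))
        if g.receiver == p:
            return Recv(g.channel, g.sort, project(g.cont, p))
        return project(g.cont, p)
    return LSum({l: project(gl, p) for l, gl in g.branches.items()},
                g.optional, g.mandatory)


def check_sync(accepted: FrozenSet[str], t: LSum) -> bool:
    """Side condition of [Sync]: the labels L'' a process accepts must contain
    every mandatory label and lie inside L ∪ M, i.e. M ⊆ L'' ⊆ L ∪ M, and
    every accepted label must have a branch in the type."""
    return (t.mandatory <= accepted <= (t.optional | t.mandatory)
            and accepted <= set(t.branches))


# ---- the healthcare global type of Fig. 3.3 (ids: 1 patient, 2 doctor, 3 nurse)
def _schedule_then_result(scheduler: int) -> Msg:
    """scheduler sends the schedule on channel 2, then the doctor (2) sends the result on channel 3."""
    return Msg(scheduler, 1, 2, "Sschedule", Msg(2, 1, 3, "Sresult", End()))


HEALTHCARE_G = Sum(
    branches={
        "CaseD": Msg(1, 2, 1, "Sdata", Sum(
            {"CaseDD": _schedule_then_result(2), "CaseDN": _schedule_then_result(3)},
            optional=frozenset({"CaseDD"}), mandatory=frozenset({"CaseDN"}))),
        "CaseN": Msg(1, 3, 1, "Sdata", Sum(
            {"CaseND": _schedule_then_result(2), "CaseNN": _schedule_then_result(3)},
            optional=frozenset({"CaseNN"}), mandatory=frozenset({"CaseND"}))),
    },
    optional=frozenset({"CaseD"}),
    mandatory=frozenset({"CaseN"}),
)


if __name__ == "__main__":
    for pid, name in [(1, "patient"), (2, "doctor"), (3, "nurse")]:
        print(name, project(HEALTHCARE_G, pid))
```

The projections for participants 2 and 3 reproduce the communication of the doctor and nurse processes in Fig. 2.4 (for instance the nurse's CaseDN branch is a single send on channel 2 followed by end), and check_sync rejects a process that accepts only the optional CaseD, which is exactly the situation in which a synchronisation could get stuck.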

Proposition 3.1  a : ⟨G⟩ ⊢ P_D | P_N | P_P ▷ ∅. 

We end this section by proving subject reduction, from which we can derive soundness, communication 
safety and progress [12, § 5] as corollaries. Below Δ →/1 Δ' denotes zero or one step using the type 
reduction [12], which represents the communication between dual local types. For instance, a reduction 
between input and output types is defined as: k!⟨U⟩;T_1@(p,n), k?(U);T_2@(q,n) → T_1@(p,n), T_2@(q,n). 
We extend it to the symmetric sum as: {{l : T_p, ...}@(p,n)}_{p∈{1..n}} → {T_p@(p,n)}_{p∈{1..n}}. 

The formulation uses the extension of the typing to runtime processes (Γ ⊢ P ▷_Σ Δ), which corresponds 
to the presented typing on processes without open sessions, but also accepts processes with open sessions. 
This is obtained by joining compatible session environments (Δ, Δ') using the Δ ∘ Δ' operation into a single 
environment expressing the communication in both Δ and Δ'. Then we have: 

Theorem 3.2 (Subject Reduction) 

If Γ ⊢ P ▷_Σ Δ, Δ coherent and P → P' then Γ ⊢ P' ▷_Σ Δ' where Δ →/1 Δ'. 
PROOF: By induction on the derivation of P → P'. 

4 From Symmetric Sum to Conducted Branching 

This section studies an erasure of symmetric synchronisation, which translates away symmetric sums us- 
ing existing session primitives, which we hereafter simply call the erasure. The erasure removes all occur- 
rences of the sync constructor while preserving static and dynamic semantics, i.e. typability and reduction. 
It uses a conductor process for each session. The messages and protocol used to implement the synchronisation 
are illustrated in Fig. 4.1, where the numbers indicate the sequence of the messages. Fig. 4.1(a) 
shows the communication between the processes without using sync in Fig. 2.3. Fig. 4.1(b) shows the 
communication between the processes using sync in Fig. 2.4, where no messages are sent, because the 
synchronisation ensures the same branch is chosen. Fig. 4.1(c) shows the conduction messages in the 
processes where the synchronisation has been erased in Fig. 4.5. First the patient, the doctor and the nurse 
send the cases they can accept to the conductor, who chooses a common case and sends the selected case 
to the patient, the doctor and the nurse. 

Figure 4.2 Erasure of Synchronisation from Typing-Derivation 

4.1 Erasure Definitions 

Based on this idea, we translate the synchronisation and symmetric sum types into the original system [12], 
step by step as follows. 

Step 1: Process Erasure  Only well-typed processes are eligible for erasure, because conductor processes 
are generated from the global types. Therefore the erasure ℰ[[·]] is defined on the type derivation in Fig. 4.2, 
and the result is the erased process. We use the notation 𝒟 :: Γ ⊢ P ▷ Δ to denote a derivation 𝒟 with the 
conclusion Γ ⊢ P ▷ Δ. 

The case for session request increments the number of participants by one, to make room for the 
conductor process, and adds two session channels per user (in_p and out_p) for communicating with the 
conductor. The conductor process 𝒞[[G]]_{s,n,a} (defined in Step 2) is inserted in parallel with the resulting 
session requesting process to ensure it is available. 

The case for synchronisation sends the accepted labels to the conductor, waits to receive one of the 
accepted labels and proceeds with the selected branch. 

Step 2: Conductor Generation  The conductor process 𝒞[[G]]_{s,n,a} was inserted in parallel with the session 
requests by the process erasure in Step 1. The main cases of the conductor generation 𝒞[[·]] are in Fig. 4.3. 
Notice that 𝒞[[G]]_{s,n,a} is only a wrapper for 𝒞[[G]]^a_{s,n}, which prefixes the session acceptance on channel a. 
In 𝒞[[G]]_{s,n,a}, s is the original session channels, n is the number of original participants, G is the original 
session type, and a is the channel the session is created over. 

The conductor process generated from a synchronisation receives the accepted labels from each par- 
ticipant, selects a common label using rand and sends the selected label back to each participant before 
conducting the chosen branch. 

Step 3: Type Translations  To prove that typability is preserved by the erasure, we define translations of 
global types, local types, message types, global type environments and local type environments to find the 
types for the result of the erasure. The main cases for global types are defined in Fig. 4.4. The translation 
[[G]] of global types is just a wrapper for [[G]]_{n,m}, where n is the number of participants and m is the number 
of session channels in the original type. 

Figure 4.3 Conductor Process Generation from a Global Type 

𝒞[[G]]_{s,n,a} = a[n+1](s, in_1, out_1, ..., in_n, out_n). 𝒞[[G]]^a_{s,n}

𝒞[[{l : G_l}_{l∈L;M}]]^a_{s,n} = out_1 ▷ {cases_{L_1∪M} : ... out_n ▷ {cases_{L_n∪M} :
        rand{in_1 ◁ l; ...; in_n ◁ l; 𝒞[[G_l]]^a_{s,n}}_{l ∈ ∩_{i=1}^{n} L_i ∪ M}}_{L_n ⊆ L} ... }_{L_1 ⊆ L}

Figure 4.4 Erasure Mapping for Global Types 

[[G]] = [[G]]_{max(pid(G)), max(sid(G))}

[[{l : G_l}_{l∈L;M}]]_{n,m} = 1 → n+1 : (m+2){cases_{L_1∪M} :
        2 → n+1 : (m+4){cases_{L_2∪M} : ...
        n → n+1 : (m+2·n){cases_{L_n∪M} :
        n+1 → 1 : (m+1){l : n+1 → 2 : (m+3){l : ...
        n+1 → n : (m+2·n−1){l : [[G_l]]_{n,m}} ... }}_{l ∈ ∩_{i=1}^{n} L_i ∪ M}}_{L_n ⊆ L} ... }_{L_1 ⊆ L}



As previously suggested, the symmetric sum is translated to nested branching, where each participant 
sends the accepted labels to the conductor, receives the selected label and continues with the selected 
branch. 
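The two protocols of Fig. 4.1, the direct sync step of [Sync] and the conducted branching after erasure, as an added runtime simulation in Python (not code from the paper or its prototype). direct_sync reproduces the two conditions under which a synchronisation is stuck (wrong participant count, no common label); conductor_sync replays the erased protocol of Fig. 4.3: every participant selects its case set cases_{L_p∪M} on its out channel, the conductor picks a common label with rand and selects it on every in channel. The function and message names are this example's own, and the conductor's rand is modelled by a seeded random.Random so that runs are reproducible; conductor_case_count is this example's reading of Fig. 4.4, where each participant chooses one of 2^|L| case sets.

```python
# Added example, not code from the paper: one symmetric synchronisation as a
# direct [Sync] step and as the erased conductor protocol of Fig. 4.1(c)/4.3.
# Function and message names are this example's own.
import random
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Label = str
Offers = Dict[int, FrozenSet[Label]]      # participant id -> labels it accepts
Message = Tuple[str, int, object]          # ("out", p, cases) or ("in", p, label)


def direct_sync(n: int, offers: Offers, rng: random.Random) -> Optional[Label]:
    """One [Sync] step: fires only when all n participants of the session take
    part and some label is accepted by every one of them; otherwise the
    processes are stuck, reported as None."""
    if set(offers) != set(range(1, n + 1)):
        return None                              # wrong participant count: stuck
    common = frozenset.intersection(*offers.values())
    if not common:
        return None                              # no shared label: stuck
    return rng.choice(sorted(common))            # any common label h may be chosen


def conductor_branches(optional: FrozenSet[Label],
                       mandatory: FrozenSet[Label]) -> Set[FrozenSet[Label]]:
    """Labels cases_{L_i ∪ M} offered on each out channel (Fig. 4.3/4.4):
    one branch per subset L_i of the optional labels L, each joined with M."""
    if not mandatory:
        raise ValueError("the mandatory label set M must be non-empty")
    opt = sorted(optional)
    return {frozenset(c) | mandatory
            for r in range(len(opt) + 1) for c in combinations(opt, r)}


def conductor_case_count(optional: FrozenSet[Label],
                         mandatory: FrozenSet[Label], n: int) -> int:
    """Nested branch cases one synchronisation contributes to the conductor:
    the n participants each pick one of 2^|L| case sets (assumed reading of Fig. 4.4)."""
    return len(conductor_branches(optional, mandatory)) ** n


def conductor_sync(n: int, optional: FrozenSet[Label], mandatory: FrozenSet[Label],
                   offers: Offers, rng: random.Random) -> Tuple[List[Message], Dict[int, Label]]:
    """The erased protocol: returns the message trace (the conduction steps)
    and the label delivered to each participant."""
    if set(offers) != set(range(1, n + 1)):
        raise ValueError("the erased session needs all n participants plus the conductor")
    allowed = conductor_branches(optional, mandatory)
    trace: List[Message] = []
    # 1. participant p selects cases_{L_p ∪ M} on out_p; the conductor branches on it.
    for p in range(1, n + 1):
        cases = offers[p]
        if cases not in allowed:
            # No conductor branch matches, so this step cannot happen at all.
            # [Sync] rules it out statically by requiring M ⊆ L'' ⊆ L ∪ M.
            raise ValueError(f"participant {p} offered {sorted(cases)}, "
                             "which is not a conductor branch")
        trace.append(("out", p, cases))
    # 2. rand over the labels accepted by everybody; non-empty since every set contains M.
    common = frozenset.intersection(*offers.values())
    chosen = rng.choice(sorted(common))
    # 3. the conductor selects the chosen label on in_1 .. in_n.
    delivered: Dict[int, Label] = {}
    for p in range(1, n + 1):
        trace.append(("in", p, chosen))
        delivered[p] = chosen
    return trace, delivered


def same_choice(n: int, optional: FrozenSet[Label], mandatory: FrozenSet[Label],
                offers: Offers, seed: int) -> bool:
    """Operational correspondence for one step: given the same random choice,
    the direct sync and the erased protocol agree on the label, and the erased
    run differs only by its 2n conduction steps."""
    direct = direct_sync(n, offers, random.Random(seed))
    trace, delivered = conductor_sync(n, optional, mandatory, offers, random.Random(seed))
    return direct is not None and set(delivered.values()) == {direct} and len(trace) == 2 * n


if __name__ == "__main__":
    # First synchronisation of Fig. 2.4: L = {CaseD}, M = {CaseN}, three participants
    # all accepting both labels (constructed from the figure).
    L, M = frozenset({"CaseD"}), frozenset({"CaseN"})
    offers = {p: frozenset({"CaseD", "CaseN"}) for p in (1, 2, 3)}
    print("direct:", direct_sync(3, offers, random.Random(1)))
    print("conducted:", conductor_sync(3, L, M, offers, random.Random(1)))
    print("conductor cases per sync:", conductor_case_count(L, M, 3))
```

A participant that offers a case set without the mandatory label never reaches the rand: no branch of the conductor matches, which is the dynamic counterpart of the [Sync] side condition and the reason only well-typed processes are eligible for erasure.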



4.2 Correctness 

We now prove the correctness of the erasure mapping. We start by proving that the typing is preserved, 
and that the types of the resulting process are given by the defined type translations. 

Theorem 4.1 (Type Preservation)  If 𝒟 :: Γ ⊢ P ▷ Δ then [[Γ]] ⊢ ℰ[[𝒟]] ▷ [[Δ]]. 

PROOF: By induction on the type derivation 𝒟. The proof uses a lemma stating that the generated 
conductor processes are well-typed. 

Next we prove that process congruence (P = Q) is preserved by the erasure. 
Theorem 4.2 (Congruence Preservation) 

If 𝒟_1 :: Γ ⊢ P ▷_Σ Δ then for all Q we have that P ≡ Q if and only if there is a derivation 𝒟_2 :: Γ ⊢ Q ▷_Σ Δ 
such that ℰ[[𝒟_1]] ≡ ℰ[[𝒟_2]]. 

Congruence preservation suggests the erasure preserves semantic properties. We start by stating the soundness 
theorem. To do this we define conductors for partially completed sessions: PC(Δ) is the set of possible 
partial conductor processes generated from Δ. By using the partial conductors from the session environment 
it is now possible to state the soundness theorem. 

Theorem 4.3 (Soundness)  If 𝒟 :: Γ ⊢ P ▷_Σ Δ, P → P', Δ coherent and P_C ∈ PC(Δ ∘ Δ'') for some Δ'', then 
there is a derivation 𝒟' :: Γ ⊢ P' ▷_Σ Δ' and P'_C ∈ PC(Δ' ∘ Δ'') 
such that Δ →/1 Δ' and ℰ[[𝒟]] | P_C →* ℰ[[𝒟']] | P'_C. 

PROOF: By induction on the derivation of P → P'. 

We can extend the above theorem to multiple steps by induction on the number of steps. Also the found 
evaluation ℰ[[𝒟]] →* ℰ[[𝒟']] performs exactly the same communication on all non-conductor channels 
as the original evaluation P →* P'. 

We will now define conduction steps, since they play an important role in formulating the completeness 
theorem. This is because all steps performed by the result of the erasure can be mimicked by the original 
process up to conduction steps. A step from P_1 to P_2 is a conduction step, written P_1 →_c P_2, if the step 
performs label selection or label branching on a conductor channel or unfolding of a conductor process; 
otherwise we write P_1 →_n P_2. We observe that all the extra steps introduced by the erasure are of the form →_c, 
while the other steps are of the form →_n. Therefore there is a one-to-one correspondence between the →_n 
steps of the erased process and the steps in the original process. 

Theorem 4.4 (Semantic Completeness)  If ℰ[[𝒟_1 :: Γ ⊢ P_1 ▷ ∅]] →* Q' then there exists a derivation 
𝒟_2 :: Γ ⊢ P_2 ▷ ∅ and Q such that P_1 →* P_2, ℰ[[𝒟_2]] →_c* Q and Q' →_c* Q. 

Figure 4.5 Example Processes after Erasure 

P'_C = // Conductor
a[4](d,s,r,in_p,out_p,in_d,out_d,in_n,out_n).
out_p ▷
 {cases_DN: out_d ▷
   {cases_DN: out_n ▷
     {cases_DN:
       rand{
         in_p ◁ CaseD; in_d ◁ CaseD; in_n ◁ CaseD;
         out_p ▷
          {cases_DN: out_d ▷
            {cases_DN: out_n ▷
              {cases_DN:
                rand{in_p ◁ CaseDD; in_d ◁ CaseDD; in_n ◁ CaseDD; end,
                     in_p ◁ CaseDN; in_d ◁ CaseDN; in_n ◁ CaseDN; end},
               cases_D: ...},
             cases_D: ...},
           cases_D: ...}},
      cases_N: ...},
    cases_N: ...},
  cases_N: ...}

P'_P = // Patient
a[2..4](d,s,r,in_p,out_p,in_d,out_d,in_n,out_n).
out_p ◁ cases_DN; in_p ▷
 {CaseD: d!⟨eData⟩; out_p ◁ cases_DN; in_p ▷
   {CaseDD: s?(schedule); r?(result); 0,
    CaseDN: s?(schedule); r?(result); 0},
  CaseN: d!⟨eData⟩; out_p ◁ cases_DN; in_p ▷
   {CaseND: s?(schedule); r?(result); 0,
    CaseNN: s?(schedule); r?(result); 0}}

P'_D = // Doctor
a[2](d,s,r,in_p,out_p,in_d,out_d,in_n,out_n).
out_d ◁ cases_DN; in_d ▷
 {CaseD: d?(data); out_d ◁ cases_DN; in_d ▷
   {CaseDD: s!⟨eSchedule⟩; r!⟨eResult⟩; 0,
    CaseDN: r!⟨eResult⟩; 0},
  CaseN: out_d ◁ cases_DN; in_d ▷
   {CaseND: s!⟨eSchedule⟩; r!⟨eResult⟩; 0,
    CaseNN: r!⟨eResult⟩; 0}}

P'_N = // Nurse
a[3](d,s,r,in_p,out_p,in_d,out_d,in_n,out_n).
out_n ◁ cases_DN; in_n ▷
 {CaseD: out_n ◁ cases_DN; in_n ▷
   {CaseDD: 0,
    CaseDN: s!⟨eSchedule⟩; 0},
  CaseN: d?(data); out_n ◁ cases_DN; in_n ▷
   {CaseND: 0,
    CaseNN: s!⟨eSchedule⟩; 0}}



PROOF: By induction on the number of non-conduction steps in ℰ[[𝒟_1]] →* Q', using confluence and 
single-step completeness results. 

Healthcare Cooperation (3): Synchronisation Erasure  The result of the erasure on the healthcare 
example from Section 3 is shown in Fig. 4.5. Since we have shown that the processes from the synchronisation 
example in Fig. 2.4 are well-typed in Proposition 3.1, we can apply Theorem 4.1 to provide 
a : ⟨[[G]]⟩ ⊢ P'_C | P'_P | P'_D | P'_N ▷ ∅. 

As this example illustrates, the result of the erasure does not capture the nature of the situation in the 
same way, because it introduces a conductor process, which is not a natural part of the situation. It is not 
compact either, as the conductor process has 64 cases. Further we lose an accurate type abstraction of the 
dynamics of symmetric synchronisation, because it is not clear from the encoded type structure whether 
it is just a sequence of asymmetric branching actions or the (intended) atomic multiparty synchronisation, 
since some of the key operational structures of the encoding (e.g. random selection) are lost in the encoded 
type. 

4.3 Encodability Criteria 

The common properties of encodability from the known separation theorems (e.g. [18]) have been studied 
in [9], revealing a number of desirable criteria. Our encoding is type-based, so we cannot apply this untyped 
framework directly. However, if we simply change the formulation to use the type derivation instead of the 
process syntax, our encoding does fulfil the criteria. 

Before we can define and prove the criteria, we need to define the relations (≍_1 and ≍_2) and properties 
(successful state) used to define the criteria. We select ≍_1 as the process equivalence (≡), and define 
Q_1 ≍_2 Q_2 if and only if ∃Q. Q_1 →_c* Q ∧ Q_2 →_c* Q. 

Lemma 4.5  ≍_2 is a weak barbed reduction congruence. 

PROOF: Immediately, ≍_2 is symmetric and reflexive by definition. By the confluence, we can also prove 
its transitivity. 

To define a successful state, we introduce a new process constructor $\surd$, extend the typing system
to accept $\surd$, and extend the erasure to preserve $\surd$. A process $P$ is accepting if $P \equiv \surd \mid P'$ for some $P'$.

We list the new formulation for all the criteria and state the theorem. For the motivation of each
criterion, see [9]. Below, for the sake of readability, we omit $\Gamma$ and $\Delta$ from the encoding.

Compositionality criterion For every $k$-ary typing rule $R$ in the typing system of $\mathcal{L}_1$ and every subset of
names $N$ there exists a $k$-ary context $C_R^N(\_1, \ldots, \_k)$ such that, for all $\mathcal{D}_1, \ldots, \mathcal{D}_k$ with $\mathrm{fn}(\mathcal{D}_1, \ldots, \mathcal{D}_k) = N$, it
holds that $\llbracket R(\mathcal{D}_1, \ldots, \mathcal{D}_k) \rrbracket = C_R^N(\llbracket \mathcal{D}_1 \rrbracket, \ldots, \llbracket \mathcal{D}_k \rrbracket)$. Note that the information given by the derivation (typing)
in $\mathcal{D}_1 :: P_1$ and $\mathcal{D}_2 :: P_2$ was essential.

Name Invariance criterion For every typing derivation $\mathcal{D} :: P$ ($P$ has derivation $\mathcal{D}$) and name substitution
$\sigma$, it holds that if $\sigma$ is injective, then $\llbracket \mathcal{D}\sigma \rrbracket = \llbracket \mathcal{D} \rrbracket \sigma'$, otherwise $\llbracket \mathcal{D}\sigma \rrbracket \asymp_2 \llbracket \mathcal{D} \rrbracket \sigma'$, where
$\sigma'$ is such that $\varphi_{\llbracket\cdot\rrbracket}(\sigma(a)) = \sigma'(\varphi_{\llbracket\cdot\rrbracket}(a))$ for every $a \in \mathcal{N}$. Here $\varphi_{\llbracket\cdot\rrbracket}$ is called the renaming policy and captures how $\llbracket\cdot\rrbracket$
translates channel names.

Operational Correspondence criterion Let $\to_i$ denote the reduction relation of the system $i$.

(1) Completeness: If $\mathcal{D}_1 :: P_1$ and $P_1 \to_1 P_2$ then there exists a $\mathcal{D}_2 :: P_2$ such that $\llbracket \mathcal{D}_1 \rrbracket \to_2^* \asymp_2 \llbracket \mathcal{D}_2 \rrbracket$.

(2) Soundness: If $\llbracket \mathcal{D}_1 :: P_1 \rrbracket \to_2^* Q_1$ then there exists a $\mathcal{D}_2 :: P_2$ such that $P_1 \to_1^* P_2$ and $Q_1 \to_2^* \asymp_2 \llbracket \mathcal{D}_2 \rrbracket$.

Divergence Reflection criterion If $\llbracket \mathcal{D} :: P \rrbracket \to^{\omega}$ then $P \to^{\omega}$, where $\to^{\omega}$ means infinite reductions.

Success Sensitiveness criterion If $\mathcal{D} :: P$ then $P \Downarrow$ if and only if $\llbracket \mathcal{D} \rrbracket \Downarrow$, where $P \Downarrow$ means $P$ can reach a
successful state.

Using the above definition, we arrive at the following main theorem. 

Theorem 4.6 The erasure mapping satisfies all the encodability criteria.

5 Verifying CPG Descriptions

This section describes how symmetric sum types can verify implementation conformance to a CPG [2]
described using the Process Matrix. The verification is performed in three steps, shown in Fig. 5.1 and explained
below.

Process Matrix. The Process Matrix representation consists of a table with one row for each action. Each
row has a number of columns: the Id and Name columns are used to identify the action, and the Prede-
cessors column holds the Ids of the actions the action depends on. Before an action can be executed, its
predecessors must have been executed. If all the predecessors of an action have been executed, we say that
the action is executable. Finally, there is one column for each participant (called roles), where the content
is either R, meaning the participant can read the action data but not execute it, W, meaning the participant can
execute the action and read its data, or N, meaning the participant can neither execute the action nor read its data
(see [14] for a fuller description). The Process Matrix in Fig. 5.1 describes the scenario from the
introduction, except that the patient automatically gives the data to both the doctor and the nurse, and the
user can perform the actions multiple times (by an implicit recursion), until all the actions are executed.
Figure 5.1 Steps in verifying a CPG description: Process Matrix -> (Process Matrix Encoding) -> Global Type -> (Type Projections) -> Local Types -> (Verification) -> Implementations

Process Matrix [14] (formal representation of CPGs; of the extracted table only the column headings Id, Name, Patient, Doctor and the actions Data, Schedule, Result are recoverable)

Global Type (fragment):
  { Pdata: 1->2:2<String>; 1->3:3<String>; μ stateD.
      { Pdata: 1->2:2<String>; 1->3:3<String>; stateD,
        Dschedule: 2->1:1<String>; 2->3:3<String>; μ stateDS. {...},
        Nschedule: 3->1:1<String>; 3->2:2<String>; μ stateDS. {...} } }

Local Type of the Patient (fragment):
  { Pdata: 2!<String>; 3!<String>; μ stateD.
      { Pdata: 2!<String>; 3!<String>; stateD,
        Dschedule: 1?(String); μ stateDS. {...},
        Nschedule: 1?(String); μ stateDS. {...} } }

Implementation of the Patient (fragment):
  sync((p,d,n),3)
  { Pdata: s[2]!<e>; s[3]!<e>; def StateD(s) =
      sync((p,d,n),3)
      { Pdata: s[2]!<e>; s[3]!<e>; StateD(s),
        Dschedule: s[1]?(x); def StateDS(s) = ...,
        Nschedule: s[1]?(x); def StateDS(s) = ... }
      in StateD(s) }
Process Matrix Encoding Any CPG in a Process Matrix can be encoded as a global type automatically. 
We explain this encoding by translating the above Process Matrix example. In the resulting type, the state 
is described by the set of actions that have been executed, leading to a finite but exponential number of 
states. The representation of each state (except the completed state) is a symmetric sum with one branch 
for each role that can execute each executable action. The content of each branch consists of the executing 
participant sending the created data to all other participants with read or write access, followed by the state 
where the executed action is added, and depending actions have been removed. 

Parts of the global type are included in Fig. 5.1. Notice that the resulting type uses recursion: this describes
an implicit recursion in the Process Matrix, where the state reached after an action need not be a new
state, but can be the same as the state before the execution of the action, or even a state from previous
steps. This is the case in the above example if the data is sent, the appointment is scheduled, and then the
data is resent: the resulting state is the state where only the data action has been executed,
which is the same as the second state. The described method can be extended to translate any Process
Matrix into a global type.
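The encoding described above, as an added example that is not the paper's APIMS tool: a Python generator that walks the state space of a Process Matrix (executed-action sets) and prints the global type in the notation of Fig. 5.1. The matrix rows, the role names and the stateD-style recursion variables are constructed here to mirror the paper's example, and re-execution removes the dependent actions as the text describes.

```python
from collections import namedtuple

# aid, name, preds (ids executed before), access: role -> "R" (read), "W" (execute), "N"
Action = namedtuple("Action", "aid name preds access")

# Constructed Process Matrix for the paper's scenario; roles are participants 1, 2, 3.
ROLES = ("Patient", "Doctor", "Nurse")
MATRIX = (
    Action(1, "Data",     (),   {"Patient": "W", "Doctor": "R", "Nurse": "R"}),
    Action(2, "Schedule", (1,), {"Patient": "R", "Doctor": "W", "Nurse": "W"}),
    Action(3, "Result",   (2,), {"Patient": "R", "Doctor": "W", "Nurse": "R"}),
)

def dependants(aid, matrix):
    """Ids of all actions that transitively depend on aid; they are undone when aid is redone."""
    out = set()
    for a in matrix:
        if aid in a.preds and a.aid not in out:
            out |= {a.aid} | dependants(a.aid, matrix)
    return out

def encode(executed, path, matrix, roles):
    """Global type of the state `executed`, plus the enclosing recursion variables it refers to."""
    var = "state" + "".join(a.name[0] for a in matrix if a.aid in executed)
    if var in path:                                  # back to a state on the current path
        return var, {var}
    if len(executed) == len(matrix):                 # completed state: no further sum
        return "end", set()
    branches, refs = [], set()
    for a in matrix:
        if not all(p in executed for p in a.preds):  # not executable yet
            continue
        nxt = (executed | {a.aid}) - dependants(a.aid, matrix)
        cont, back = encode(nxt, path + (var,), matrix, roles)
        refs |= back
        for sender, acc in a.access.items():         # one branch per role allowed to execute
            if acc != "W":
                continue
            s = roles.index(sender) + 1
            sends = "".join(f"{s}->{roles.index(r) + 1}:{roles.index(r) + 1}<String>; "
                            for r, ra in a.access.items() if r != sender and ra != "N")
            branches.append(f"{sender[0]}{a.name.lower()}: {sends}{cont}")
    body = "{ " + ", ".join(branches) + " }"
    if var in refs:                                  # bind the variable only if it is used
        return "\u03bc " + var + ". " + body, refs - {var}
    return body, refs

def global_type(matrix=MATRIX, roles=ROLES):
    """Text of the global type for the initial state (no action executed yet)."""
    return encode(frozenset(), (), matrix, roles)[0]
```

Running `global_type()` on the constructed matrix yields the same prefix as the global type in Fig. 5.1, with the μ stateD binder introduced because resending the data returns to that state.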

The conversion of CPGs from the Process Matrix to session types allows the data to be exchanged
directly between the participants, whereas the current implementations rely on a centralised database for the
exchange. This means the translation offers a distributed implementation of the Process Matrix, which was
not known before. A formally defined symmetric global synchronisation primitive, together with its
type discipline and encodability, offers a firm basis for such implementations.

Projection and Verification When we have created the global type expressing the CPG, a process imple-
menting one of the participants can be verified to conform to the workflow by projecting the global type
to the local type of that participant and typechecking the process against the local type. Parts of the local
type and the process for the Patient are shown in Fig. 5.1.

Figure 5.2 States and screenshots for the doctor GUI

Generalisation We have now described how to use multiparty session types extended with symmetric
sum to express CPGs formalised using the Process Matrix. We believe many other workflow frameworks
(such as large parts of BPMN) can be encoded as multiparty session types with symmetric sum, and this
would allow the type system to serve as a common representation, enabling interaction between different
frameworks and implementing features (such as automatic user-interface generation) only once, for symmetric
sum types, and applying them to all the encoded frameworks.

5.1 Implementation 

We have created an ASCII syntax for the asynchronous π-calculus with multiparty sessions and symmetric
synchronisation, called APIMS, and implemented a typechecker and an interpreter. This is to our knowledge
the first prototype implementation of the π-calculus with multiparty sessions and multiparty session types.
The implementation along with example programs can be found on the APIMS website [1].

The implementation extends the calculus with a guisync constructor to support user interaction via 
GUIs. The guisync is the result of extending the sync for user input. Each label has a set of typed arguments 
that must be given using the GUI before that choice is accepted, and the given arguments can be used by the 
process in that branch. This simple extension allows the processes to implement GUIs and the type system 
guarantees that the GUI for each participant will respect the protocol, hence the workflow. The mandatory 
labels ensure that the GUI must allow all the users (the people using the interface for each participant) 
to agree in each synchronisation, thus avoiding the GUIs causing a disagreement w.r.t. the theory of a 
symmetric synchronisation. 

The GUI shows the received data, the choices offered by the process, input fields for the data needed
for each choice, and buttons to accept/reject each choice. Fig. 5.2 shows three screenshots, displaying the
doctor's GUI for each state and how each choice affects the state. As soon as all the participants of a session
accept the same choice, the processes continue with the accepted branch. The GUI implementation for
each participant can be created automatically from the Process Matrix.

The original implementation of the Process Matrix, called Online Consultant by Resultmaker [14], is
database based. This means that communication consists of the sender uploading information to the server,
and all participants must query the server when using the information. Implementing the workflows using
the π-calculus and session types not only gives the Process Matrix a formal semantics, but also allows an
implementation where participants communicate their data peer-to-peer. This offers a more natural and
robust realisation of the workflows, and relieves the system of the server bottleneck.

6 Related and Future Work

There are existing studies on self/broadcast synchronisations [10, 19]. The symmetric sum proposed in
the present paper is different because it allows all the participants to influence the choice equally and, to 
formulate this notion adequately, demands a session-based operational framework. Another difference is 
the use of the type discipline to control this complex synchronisation framework, which is not found in 
the foregoing work. Note that the type discipline allows multiparty progress and communication-safety 
for participants, which is not generally ensured in existing untyped self/broadcast synchronisation prim- 
itives. Our primitive and its type-checker are applicable not only to Process Matrix, but also multiparty 
synchronisations in general with strong safety guarantees. 

The symmetric synchronisation is similar to the consensus in Weak Byzantine Agreement (WBA),
which is a formalisation of the database commit problem. The similarity is that a number of
processes need to end up with a common choice. In contrast to the symmetric sum, WBA only has two possible
choices (0 and 1). Not all participants have to initially accept the final decision, but if all processes agree
initially, the result should be the initial preference. WBA is studied in an untyped setting on unreliable
networks, with faulty processes (with arbitrary behaviour).

The symmetric sum is also similar to the symmetric choice $\Box$ in CSP and the mixed choice in the
π-calculus [18]. The main difference is that these preceding primitives are restricted to two-party synchroni-
sations. Our result is consistent with the non-encodability of the mixed-choice π-calculus in the separated-
choice π-calculus [18]: our erasure is defined on typing derivations, and cannot be made homomorphic on
processes. For example, take $P = (\nu a)(P_1 \mid P_2)$ where

$P_1 = a[2](s).\mathsf{sync}\{l_1 : P_{11}, l_2 : P_{12}\}$ and $P_2 = \bar{a}[2](s).\mathsf{sync}\{l_1 : P_{21}, l_3 : P_{23}\}$.

This process shows that the erasure cannot be interpreted as an encoding from processes $\llbracket\cdot\rrbracket$ where $\llbracket P_1 \mid P_2 \rrbracket =$
$\llbracket P_1 \rrbracket \mid \llbracket P_2 \rrbracket$, because the result of $\llbracket P_1 \rrbracket$ depends on the context $P_1$ is in: the conductor inserted by the second
step of the erasure depends on the type of $a$, which depends on the other process. In the given context, the
conductor must consider the labels $l_1$, $l_2$ and $l_3$, and this could not be generated from $\llbracket P_1 \rrbracket$ because $P_1$ does
not contain any information about $l_3$. As noted above, the symmetric sum and synchronisation construct
differ from the mixed choice and from the untyped asymmetric, directed sums whose encodability is stud-
ied in [16, 15], in that it is multiparty synchronisation for a fixed number of participants ensured by the
underlying session type discipline.

Types for multiparty interactions are studied in the conversation calculus and in contracts.
The former has choice behaviours where the channel-based communication is replaced by conversation
environments allowing multiple participants, while the latter uses a process-based specification of protocols
relying on internal and external choices, where conformance is formalised based on the must preorder (so
that liveness can be ensured). Our implementation crucially relies on the choreographic description based
on global types: in particular, global types offer a tractable, clear type-directed generation from
Process Matrices as described in Section 5.

As future work, we plan to extend our work with logical assertions in order to describe and
ensure the communicated data fulfil desired properties (for example, "the prescribed medicine doses are 
less than the lethal amount"). With the assertions, we can add arguments (state) to the recursive types, and 
conditions to the branches in a choice, so that it will lead to a more efficient generation from the Process 
Matrix. 